Rietveld Code Review Tool

Issue 12745043: code review 12745043: net/http: do not send malformed cookie domain attribute (Closed)

Created: 11 years, 10 months ago by volker.dobler
Modified: 11 years, 10 months ago
Reviewers: bradfitz
CC: golang-dev, bradfitz
Visibility: Public.

Description

net/http: do not send malformed cookie domain attribute

Malformed domain attributes are not sent in a Set-Cookie header. Instead the domain attribute is dropped which turns the cookie into a host-only cookie. This is much safer than dropping characters from domain attribute.

Domain attributes with a leading dot '.' are still allowed, even if discouraged by RFC 6265 section 4.1.1.

Fixes issue 6013

Patch Set 1

Patch Set 2 : diff -r d7db8c804ffa https://code.google.com/p/go/

Patch Set 3 : diff -r d7db8c804ffa https://code.google.com/p/go/

Total comments: 4

Patch Set 4 : diff -r 7064d3304d65 https://code.google.com/p/go/

Stats (+92 lines, -15 lines)
M src/pkg/net/http/cookie.go (3 chunks, +76 lines, -15 lines)
M src/pkg/net/http/cookie_test.go (1 chunk, +16 lines, -0 lines)

Messages

Total messages: 5
volker.dobler
Hello golang-dev@googlegroups.com (cc: bradfitz@golang.org, golang-dev@googlegroups.com), I'd like you to review this change to https://code.google.com/p/go/
11 years, 10 months ago (2013-08-12 09:51:33 UTC) #1
bradfitz
https://codereview.appspot.com/12745043/diff/6001/src/pkg/net/http/cookie.go File src/pkg/net/http/cookie.go (right): https://codereview.appspot.com/12745043/diff/6001/src/pkg/net/http/cookie.go#newcode295 src/pkg/net/http/cookie.go:295: var oldCookieValueSanitizer = strings.NewReplacer("\n", " ", "\r", " ", ...
11 years, 10 months ago (2013-08-12 15:48:35 UTC) #2
volker.dobler
PTAL https://codereview.appspot.com/12745043/diff/6001/src/pkg/net/http/cookie.go File src/pkg/net/http/cookie.go (right): https://codereview.appspot.com/12745043/diff/6001/src/pkg/net/http/cookie.go#newcode295 src/pkg/net/http/cookie.go:295: var oldCookieValueSanitizer = strings.NewReplacer("\n", " ", "\r", " ...
11 years, 10 months ago (2013-08-12 20:39:51 UTC) #3
bradfitz
LGTM
11 years, 10 months ago (2013-08-12 22:00:06 UTC) #4
bradfitz
11 years, 10 months ago (2013-08-12 22:14:37 UTC) #5
*** Submitted as https://code.google.com/p/go/source/detail?r=1c523a432503 ***

net/http: do not send malformed cookie domain attribute

Malformed domain attributes are not sent in a Set-Cookie header.
Instead the domain attribute is dropped which turns the cookie
into a host-only cookie. This is much safer than dropping characters
from domain attribute.

Domain attributes with a leading dot '.' are still allowed, even
if discouraged by RFC 6265 section 4.1.1.


Fixes issue 6013

R=golang-dev, bradfitz
CC=golang-dev
https://codereview.appspot.com/12745043

Committer: Brad Fitzpatrick <bradfitz@golang.org>
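
The trade-off named in the description, dropping a malformed Domain attribute rather than deleting its bad characters, shown as an added example (not code from this change or from net/http). `isLDH`, `validDomain`, `stripInvalid` and `setCookie` are hypothetical names, the validation is a simplified assumption, and the input is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// isLDH reports whether r is a letter, digit or hyphen.
func isLDH(r rune) bool {
	return r >= 'a' && r <= 'z' || r >= 'A' && r <= 'Z' || r >= '0' && r <= '9' || r == '-'
}

// validDomain is a simplified check written for this example (an assumption,
// not net/http's code): dot-separated LDH labels, one optional leading dot.
func validDomain(d string) bool {
	d = strings.TrimPrefix(d, ".")
	for _, label := range strings.Split(d, ".") {
		if label == "" || len(label) > 63 || label[0] == '-' || label[len(label)-1] == '-' {
			return false
		}
		if strings.IndexFunc(label, func(r rune) bool { return !isLDH(r) }) >= 0 {
			return false
		}
	}
	return true
}

// stripInvalid models the rejected approach: delete offending characters.
func stripInvalid(d string) string {
	return strings.Map(func(r rune) rune {
		if isLDH(r) || r == '.' {
			return r
		}
		return -1
	}, d)
}

// setCookie builds a Set-Cookie value; a malformed domain is left out, so the
// browser treats the cookie as host-only.
func setCookie(name, value, domain string) string {
	if domain == "" || !validDomain(domain) {
		return name + "=" + value
	}
	return name + "=" + value + "; Domain=" + domain
}

func main() {
	bad := "shop example.com" // constructed malformed input
	fmt.Println("stripping would send Domain=" + stripInvalid(bad))
	fmt.Println("dropping sends:", setCookie("sid", "abc", bad))
}
```

Stripping turns the constructed input into `shopexample.com`, a domain the application never specified, while dropping the attribute yields `sid=abc`, scoped to the responding host only.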